/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* vim: set ts=2 sw=2 et tw=78: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "WindowNamedPropertiesHandler.h" #include "mozilla/dom/WindowBinding.h" #include "nsDOMClassInfo.h" #include "nsGlobalWindow.h" #include "nsHTMLDocument.h" #include "nsJSUtils.h" #include "xpcprivate.h" namespace mozilla { namespace dom { static bool ShouldExposeChildWindow(nsString& aNameBeingResolved, nsIDOMWindow *aChild) { // If we're same-origin with the child, go ahead and expose it. nsCOMPtr sop = do_QueryInterface(aChild); NS_ENSURE_TRUE(sop, false); if (nsContentUtils::SubjectPrincipal()->Equals(sop->GetPrincipal())) { return true; } // If we're not same-origin, expose it _only_ if the name of the browsing // context matches the 'name' attribute of the frame element in the parent. // The motivations behind this heuristic are worth explaining here. // // Historically, all UAs supported global named access to any child browsing // context (that is to say, window.dolske returns a child frame where either // the "name" attribute on the frame element was set to "dolske", or where // the child explicitly set window.name = "dolske"). // // This is problematic because it allows possibly-malicious and unrelated // cross-origin subframes to pollute the global namespace of their parent in // unpredictable ways (see bug 860494). This is also problematic for browser // engines like Servo that want to run cross-origin script on different // threads. // // The naive solution here would be to filter out any cross-origin subframes // obtained when doing named lookup in global scope. But that is unlikely to // be web-compatible, since it will break named access for consumers that do //